Microsoft Zero-Day IE Flaw Being Actively Exploited

The flaw, which was publicly disclosed by security firm Rapid7 on Monday morning, can be exploited against users running Internet Explorer on Windows XP, Vista and Windows 7.

"Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user," wrote Rapid7 exploit developer "sinn3r".

The researcher responsible for the discovery, Eric Romang, tested the Internet Explorer flaw on a system running a fully patched Windows XP SP3. He confirmed that Windows 8 (preview and RTM versions) is the only Microsoft OS that is not vulnerable to the attack; the test version of Internet Explorer 10 is likewise not vulnerable.

Microsoft confirmed in its security advisory that it "is aware of targeted attacks that attempt to exploit this vulnerability" and is actively investigating the disclosure. Microsoft did not, however, provide figures on the number or rate of exploitation attempts.

According to security researchers, the active attacks have used the Poison Ivy backdoor Trojan kit -- the same toolkit that was used in the recent Java zero-day attacks.

While the company did not say whether or when a security update would arrive, Microsoft's Yunsun Wee of the Trustworthy Computing Group outlined a temporary workaround: deploy the Enhanced Mitigation Experience Toolkit (EMET), set the Internet security zones to "High", and disable Active Scripting before using Internet Explorer.
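The zone and Active Scripting parts of that workaround are per-user Internet Explorer settings stored in the registry, so they can be reported, applied and reverted from PowerShell instead of clicking through Internet Options on every machine. The script below is an added example written for this article; it is not Microsoft's or Rapid7's code. It assumes the well-known zone layout under `HKCU\...\Internet Settings\Zones` (zone 1 = Local intranet, zone 3 = Internet, `CurrentLevel` 0x12000 = High, value `1400` = Active Scripting where 3 = disable), and the `EMET_Conf.exe --set <path>` syntax of EMET 3.x, which you should check against the version you have installed.

```powershell
# Added example (not from the article, Microsoft or Rapid7): report, apply or revert
# the interim Internet Explorer workaround for the current user.
# Assumptions: standard IE zone registry layout under HKCU; EMET 3.x EMET_Conf syntax.
param(
    [ValidateSet('Report', 'Apply', 'Revert')]
    [string]$Mode = 'Report'
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone 1 = Local intranet, zone 3 = Internet: the zones an attacker's site lands in.
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

$High         = 0x12000   # CurrentLevel template value for "High"
$ActiveScript = '1400'    # value name for "Active scripting"
$Disable      = 3         # 0 = enable, 1 = prompt, 3 = disable

# Backup file so the change can be undone once Microsoft ships a fix.
$backup = Join-Path $env:LOCALAPPDATA 'ie-zone-workaround-backup.xml'

function Get-ZoneState([int]$id) {
    $p = Get-ItemProperty -Path (Join-Path $zonesRoot $id)
    [pscustomobject]@{
        Id           = $id
        Zone         = $zoneNames[$id]
        CurrentLevel = [int]$p.CurrentLevel
        ActiveScript = [int]$p.$ActiveScript
    }
}

function Set-ZoneState([int]$id, [int]$level, [int]$script) {
    $path = Join-Path $zonesRoot $id
    Set-ItemProperty -Path $path -Name 'CurrentLevel' -Value $level -Type DWord
    Set-ItemProperty -Path $path -Name $ActiveScript  -Value $script -Type DWord
}

# If this policy value is set, IE ignores HKCU and reads zone settings from HKLM,
# so a per-user change would silently do nothing. Warn rather than guess.
$hklmOnly = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
             -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set; zone settings come from HKLM (policy), not HKCU.'
}

switch ($Mode) {
    'Report' {
        $zoneNames.Keys | ForEach-Object { Get-ZoneState $_ } |
            Select-Object Zone,
                @{ n = 'Level';         e = { '0x{0:X}' -f $_.CurrentLevel } },
                @{ n = 'ActiveScript';  e = { $_.ActiveScript } },
                @{ n = 'Hardened';      e = { $_.CurrentLevel -eq $High -and $_.ActiveScript -eq $Disable } } |
            Format-Table -AutoSize
    }
    'Apply' {
        $zoneNames.Keys | ForEach-Object { Get-ZoneState $_ } | Export-Clixml $backup
        foreach ($id in $zoneNames.Keys) { Set-ZoneState $id $High $Disable }
        # Optionally place iexplore.exe under EMET mitigations if EMET is installed.
        # EMET_Conf --set is the EMET 3.x syntax (assumption; verify for your version).
        $emet = Join-Path $env:ProgramFiles 'EMET\EMET_Conf.exe'
        if (Test-Path $emet) {
            & $emet --set (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')
        } else {
            Write-Warning 'EMET not found; zone settings applied without EMET mitigations.'
        }
    }
    'Revert' {
        if (-not (Test-Path $backup)) { throw "No backup at $backup; nothing to revert." }
        foreach ($z in Import-Clixml $backup) { Set-ZoneState $z.Id $z.CurrentLevel $z.ActiveScript }
        Remove-Item $backup
    }
}
```

Run it as `.\ie-workaround.ps1 -Mode Report` before and after `-Mode Apply`; the `Hardened` column should flip to `True` for both zones. Restart Internet Explorer so new processes pick up the values. Setting Active Scripting to 3 breaks most modern sites, which is the trade-off the workaround makes and why Rapid7's alternative (below) is to use another browser until the fix ships; in a domain, push the same values through Group Policy rather than per user.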

Andrew Storms, nCircle's director of security operations, commented in a blog post that Microsoft's workaround may not be enough to protect a system from attack. "EMET is a great tool, but at this point, it's not clear that EMET blocks every attack vector," wrote Storms. "If you haven't already deployed this toolkit, it's a great time to think about it, but not a great time to do so in a hurry."

Storms also said he believes that Microsoft will not wait until next month's security update to release a fix.

Rapid7 also offered its own workaround, which does not involve EMET: "Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available," wrote "sinn3r".